Insering a ' to a MySQL database problems

[phpjayx]

Whenever I insert a ' as part of a string is comes out as for example: Johnny\'s

 

How do go and replace that with some character code string that works... ? Doing google searches isn't getting me very far in this...

 

Thanks in advance

[requinix]

Turn off the magic_quotes php.ini setting, and make sure you're safe against SQL injection.

[DavidAM]

... comes out as ...

 

Where exactly does it "come out" with a backslash? In the database? In a web page? Somewhere else?

 

You should be using an appropriate escaping function, such as mysql_real_escape_string, before writing a value to the database. But you should not be using that same function on data being sent to a web page. Which means you should only escape for the database when building the query.

 

WRONG

$name = mysql_real_escape_string($_POST['name']);

$sql = "INSERT INTO table VALUES('$name')";

echo $name;

 

 

NOT WRONG

$name = $_POST['name'];

$sql = "INSERT INTO table VALUES('" . mysql_real_escape_string($name) . "')";

echo htmlspecialchars($name);

[Barand]

A requinix said, it's the magic_quotes.

 

If ON, your data has slashes added automatically, so "O'Donnel" is passed from the form as "O\'Donnel". If you then addslashes or real_escape the data it becomes "O\\\'Donnel" which then gets written the database as "O\'Donnel"

[phpjayx]

Interesting... I found it, turned it off, its still inserting / into my database....

Really its from the Initial PHP form -->.JS--->PHP (looking in my Charles debugger, it shows correct in the Posting)-, then using the

$name= $_POST['name']; --->.JS --->php to write it to MySQL database

It messes up somehwere in these last few transfers, which I'm not exactly sure where..... Still hunting.

[jazzman1]

After you turned it off, did you restart the web server?

[phpjayx]

Ahhhh I did not restart the server.... thanks for that......!